2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe
Size

479KB
MD5

00b25d864d4a5e11a88e75f122dddbce
SHA1

98efb09b8a4654f59719fc6c6c7ea474dd6f1619
SHA256

2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63
SHA512

5283aa2d027a7a87159f7206645aa98847b8e01d1cc8a0181e77eaa7d4a72f7ca2824a06e60fae688f7bcae020c04403805f946002830a6a5341c2016352ca9e
SSDEEP

12288:vMrky9086iW118c0+abSG+W9IL4yAciUUE9EPk9cxV:ryzhWf8bSNEHQtB9Q

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k9810836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9810836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9810836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9810836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9810836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9810836.exe

Executes dropped EXE 3 IoCs

pid	Process
1236	y2667631.exe
1940	k9810836.exe
1888	l8219231.exe

Loads dropped DLL 6 IoCs

pid	Process
1648	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe
1236	y2667631.exe
1236	y2667631.exe
1940	k9810836.exe
1236	y2667631.exe
1888	l8219231.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k9810836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9810836.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2667631.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2667631.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1940	k9810836.exe
1940	k9810836.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	k9810836.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1236	1648	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe	28
PID 1648 wrote to memory of 1236	1648	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe	28
PID 1648 wrote to memory of 1236	1648	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe	28
PID 1648 wrote to memory of 1236	1648	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe	28
PID 1648 wrote to memory of 1236	1648	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe	28
PID 1648 wrote to memory of 1236	1648	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe	28
PID 1648 wrote to memory of 1236	1648	2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe	28
PID 1236 wrote to memory of 1940	1236	y2667631.exe	29
PID 1236 wrote to memory of 1940	1236	y2667631.exe	29
PID 1236 wrote to memory of 1940	1236	y2667631.exe	29
PID 1236 wrote to memory of 1940	1236	y2667631.exe	29
PID 1236 wrote to memory of 1940	1236	y2667631.exe	29
PID 1236 wrote to memory of 1940	1236	y2667631.exe	29
PID 1236 wrote to memory of 1940	1236	y2667631.exe	29
PID 1236 wrote to memory of 1888	1236	y2667631.exe	30
PID 1236 wrote to memory of 1888	1236	y2667631.exe	30
PID 1236 wrote to memory of 1888	1236	y2667631.exe	30
PID 1236 wrote to memory of 1888	1236	y2667631.exe	30
PID 1236 wrote to memory of 1888	1236	y2667631.exe	30
PID 1236 wrote to memory of 1888	1236	y2667631.exe	30
PID 1236 wrote to memory of 1888	1236	y2667631.exe	30

C:\Users\Admin\AppData\Local\Temp\2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe
"C:\Users\Admin\AppData\Local\Temp\2847a5df1eb8a7774573969a9b526a23220778742070d47537ea018fcd5def63.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2667631.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2667631.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9810836.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9810836.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8219231.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8219231.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2667631.exe

Filesize
307KB

MD5
5731f8d9a185750747904d08b748c7ce

SHA1
dedd634006c0c25584b99d1c7b42eac3eddcc692

SHA256
9ced290b8c0dc243e23ec6246cc8db4e45313810812ae10f94b3c7f93c9cc184

SHA512
3228d4f501b23d3cf5f783f25c8b167a7d28a2f5b5400616197b947d1bb0f16de3f546e73caeae035d3d509634abe3e23f9ee58d08ee740e9c1c00d449fe3864

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2667631.exe

Filesize
307KB

MD5
5731f8d9a185750747904d08b748c7ce

SHA1
dedd634006c0c25584b99d1c7b42eac3eddcc692

SHA256
9ced290b8c0dc243e23ec6246cc8db4e45313810812ae10f94b3c7f93c9cc184

SHA512
3228d4f501b23d3cf5f783f25c8b167a7d28a2f5b5400616197b947d1bb0f16de3f546e73caeae035d3d509634abe3e23f9ee58d08ee740e9c1c00d449fe3864

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9810836.exe

Filesize
175KB

MD5
e4c4d6e03e8a5c30e3f1bcfb8b64f69e

SHA1
64f61500bc2d41e9a2c4ceed7629ed79ea008219

SHA256
f1b5b4784c1966b7c54bd76719d8be0c9eb57ac210574a04547e7495857f578f

SHA512
842154cd3f6650055be8dc2dea66929c263d8f45ca19977a00e75e6fc7f4c9b37833d4e9e5eb012dab37eb6e81214c4e9ace68eef03b894a87447e55d6dbbd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9810836.exe

Filesize
175KB

MD5
e4c4d6e03e8a5c30e3f1bcfb8b64f69e

SHA1
64f61500bc2d41e9a2c4ceed7629ed79ea008219

SHA256
f1b5b4784c1966b7c54bd76719d8be0c9eb57ac210574a04547e7495857f578f

SHA512
842154cd3f6650055be8dc2dea66929c263d8f45ca19977a00e75e6fc7f4c9b37833d4e9e5eb012dab37eb6e81214c4e9ace68eef03b894a87447e55d6dbbd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8219231.exe

Filesize
136KB

MD5
1855c25869b96cab75e959563e200b1c

SHA1
3284894d02a549cab9facc9b9718969e4a01eec6

SHA256
95215a6ea05ad9086fcd33a96809644921c2a2ec0d5944aa47cf13e213460f10

SHA512
3d70db25e0dcc5317288a8768270232018c844f5ca0cb8493dfcdc41cd3fef63dbc6cc5cc55af066409ed1aa3da1de59e489d8004eb5b079a73fbb23e3104d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8219231.exe

Filesize
136KB

MD5
1855c25869b96cab75e959563e200b1c

SHA1
3284894d02a549cab9facc9b9718969e4a01eec6

SHA256
95215a6ea05ad9086fcd33a96809644921c2a2ec0d5944aa47cf13e213460f10

SHA512
3d70db25e0dcc5317288a8768270232018c844f5ca0cb8493dfcdc41cd3fef63dbc6cc5cc55af066409ed1aa3da1de59e489d8004eb5b079a73fbb23e3104d84

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2667631.exe

Filesize
307KB

MD5
5731f8d9a185750747904d08b748c7ce

SHA1
dedd634006c0c25584b99d1c7b42eac3eddcc692

SHA256
9ced290b8c0dc243e23ec6246cc8db4e45313810812ae10f94b3c7f93c9cc184

SHA512
3228d4f501b23d3cf5f783f25c8b167a7d28a2f5b5400616197b947d1bb0f16de3f546e73caeae035d3d509634abe3e23f9ee58d08ee740e9c1c00d449fe3864

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2667631.exe

Filesize
307KB

MD5
5731f8d9a185750747904d08b748c7ce

SHA1
dedd634006c0c25584b99d1c7b42eac3eddcc692

SHA256
9ced290b8c0dc243e23ec6246cc8db4e45313810812ae10f94b3c7f93c9cc184

SHA512
3228d4f501b23d3cf5f783f25c8b167a7d28a2f5b5400616197b947d1bb0f16de3f546e73caeae035d3d509634abe3e23f9ee58d08ee740e9c1c00d449fe3864

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9810836.exe

Filesize
175KB

MD5
e4c4d6e03e8a5c30e3f1bcfb8b64f69e

SHA1
64f61500bc2d41e9a2c4ceed7629ed79ea008219

SHA256
f1b5b4784c1966b7c54bd76719d8be0c9eb57ac210574a04547e7495857f578f

SHA512
842154cd3f6650055be8dc2dea66929c263d8f45ca19977a00e75e6fc7f4c9b37833d4e9e5eb012dab37eb6e81214c4e9ace68eef03b894a87447e55d6dbbd94

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9810836.exe

Filesize
175KB

MD5
e4c4d6e03e8a5c30e3f1bcfb8b64f69e

SHA1
64f61500bc2d41e9a2c4ceed7629ed79ea008219

SHA256
f1b5b4784c1966b7c54bd76719d8be0c9eb57ac210574a04547e7495857f578f

SHA512
842154cd3f6650055be8dc2dea66929c263d8f45ca19977a00e75e6fc7f4c9b37833d4e9e5eb012dab37eb6e81214c4e9ace68eef03b894a87447e55d6dbbd94

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8219231.exe

Filesize
136KB

MD5
1855c25869b96cab75e959563e200b1c

SHA1
3284894d02a549cab9facc9b9718969e4a01eec6

SHA256
95215a6ea05ad9086fcd33a96809644921c2a2ec0d5944aa47cf13e213460f10

SHA512
3d70db25e0dcc5317288a8768270232018c844f5ca0cb8493dfcdc41cd3fef63dbc6cc5cc55af066409ed1aa3da1de59e489d8004eb5b079a73fbb23e3104d84

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8219231.exe

Filesize
136KB

MD5
1855c25869b96cab75e959563e200b1c

SHA1
3284894d02a549cab9facc9b9718969e4a01eec6

SHA256
95215a6ea05ad9086fcd33a96809644921c2a2ec0d5944aa47cf13e213460f10

SHA512
3d70db25e0dcc5317288a8768270232018c844f5ca0cb8493dfcdc41cd3fef63dbc6cc5cc55af066409ed1aa3da1de59e489d8004eb5b079a73fbb23e3104d84

Download Submit
memory/1888-115-0x0000000007110000-0x0000000007150000-memory.dmp

Filesize
256KB

Download
memory/1888-114-0x0000000007110000-0x0000000007150000-memory.dmp

Filesize
256KB

Download
memory/1888-113-0x0000000001330000-0x0000000001358000-memory.dmp

Filesize
160KB

Download
memory/1940-85-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-103-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-89-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-91-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-93-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-95-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-97-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-99-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-101-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-87-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-104-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1940-105-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1940-106-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1940-83-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-81-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-79-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-77-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-76-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1940-75-0x0000000000480000-0x0000000000498000-memory.dmp

Filesize
96KB

Download
memory/1940-74-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download